PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson
1 PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson
2 Overview
- What is PCI?
- MCCS Compliance
- PCI DSS Technical Requirements
- MCCS Information Security Policies
- MCCS Common PCI Findings
- Making a Difference at MCCS
- Glossary of Terms
3 What is PCI?
- PCI stands for Payment Card Industry.
- PCI is an umbrella term for a comprehensive security program to protect credit card information from accidental disclosure.
- PCI SSC: PCI Security Standards Council
- PCI DSS: PCI Data Security Standard
- Provides protections for all participants in a credit card transaction:
  - Cardholder (Marines, Marine family members, etc.)
  - Merchant (Exchanges, Seven Day Stores, Golf Pro Shop, Clubs, etc.)
  - Banks/Acquirers (Bank of America)
  - Service Providers (Examples?)
  - Card Brands (Visa, MasterCard, American Express, Discover, JCB)
4 PCI Data Security Standard
Represents:
- Merchant and card industry required data security practices
- Common acceptance and participation by multiple card brands (5 today)
- Establishes a single Security Auditing Procedure (SAP)
- The best way to protect credit card information for all MCCS activities
Best sources of reference:
- PCI Data Security Standards and Requirements (URL: )
- Business understanding of merchant compliance requirements (URL: )
5 Evolution of PCI and Card Brand Security
Since 2001, card brand security programs and enforcement:
- Visa CISP: largely onsite audit driven
- MasterCard SDP: primarily scans and questionnaires
- American Express DSOP: nothing
- Discover DISC: nothing
- JCB and Diners: nothing (also original participants in PCI)
PCI Data Security Standard started in 2004.
PCI Data Security Standard v1.1, September 2006:
- Common standard of best practices drawn from the individual card brand security programs
- Retains the individual card brand enforcement programs
- Maintained by the PCI Security Standards Council
PCI Data Security Standard v1.2, October 2008.
6 Why PCI Compliance Matters
1. Demonstrates the MCCS commitment to protecting our customers' confidential data.
2. Indicates stronger controls and processes to assess IT risk and prevent data compromise.
3. Helps to avoid substantial fines and penalties from the card industry.
4. Demonstrates compliance for key customers who demand adherence to the PCI DSS.
5. Provides better protection for Marines and Marine family members.
Source: Visa, July 2006
7 Payment Card Industry Overview
(Relationship diagram, reconstructed from its labels:)
- The Acquirer (BofA/Chase) is a member of the card brand; the Issuer is also a member of the card brand, and may or may not be the same institution as the Acquirer.
- The Acquirer processes transactions for the Merchant (MCCS Activities) and/or Service Providers.
- The Cardholder (Marine) uses a payment card to purchase goods or services from the Merchant.
- The Issuer issues cards to the Cardholder.
8 PCI Data Security Standard Applies to Whom?
Anyone who stores, processes or transmits cardholder data must comply with the PCI DSS, including:
- Members (banks and acquirers: Bank of America, Chase Paymentech)
- Merchants (MCCS Exchanges, Seven Day Stores, Clubs, etc.)
- Service Providers (Examples?)
- Network components (modems, wireless routers, firewalls, etc.)
- Servers (in-store controller/management systems)
- Applications (Point of Sale (POS) software: Triversity, HSI, EPOS, etc.) that connect to cardholder data environments
9 What does PCI protect?
The cardholder's identity and confidential data, including:
- Magnetic stripe (track 1 and track 2 data)
- Card Verification Values (CVC, CVV2: the 3 or 4 digit codes printed on the back or front of the card)
- Payment Account Numbers (PAN)
- Personal Identification Numbers (PIN)
- Passwords
- Card expiration dates
- Personal data: name, address
(Presenter note: add a picture to identify the PAN, CV codes and stripe?)
10 Card Compromises have a Ripple Effect
An MCCS data breach has:
- Direct impacts: Marines, Paymentech, families, partners, vendors
- Indirect impacts: MCCS partners, competitors, Visa/MC, potential legislation
11 Why? What's at risk?
Data breaches can lead to significant adverse consequences.
For Marine Corps Community Services:
- Unwanted media attention (e.g. DSW, TJX, Hannaford)
- Lost revenue and/or financial damages
- Lost time and distractions to Marines and their families
- Litigation
- Substantial VISA and MasterCard penalties
For the cardholder:
- Identity theft
- Unauthorized charges to their credit or debit card account
- Damage to their personal credit rating
- Financial losses
12 Cost of a Data Breach
Studies estimate the 2007 cost of a data breach at:
- $197* per compromised credit card record
- An average total per-incident cost of $6.3 million*
What does this mean to MCCS?
- A single MCCS command can conduct up to 650,000 transactions per year or more.
- Card breaches often take months to be identified; all cards used during that period could be compromised or at risk.
- Total cost to MCCS for a breach at a single base can potentially be up to $128 million (650,000 x $197).
Fines per incident:
- VISA: up to $500,000
- MC: often $25 per card = up to $16,250,000
* Source: Ponemon Institute's 2007 Cost of a Data Breach Report
13 Non-Compliance Fines and Enforcement
- Compliance is enforced by MCCS's banks, and fines start from the card brands (Visa/MC), i.e. the security program has teeth!
- VISA CISP compliance fines and penalties (one brand example):
  - Fines the responsible bank, typically $5,000 to $25,000 per month per merchant
  - The bank passes fines on to the merchant (MCCS)
  - The bank imposes restrictions on the merchant (MCCS)
14 MCCS Goal Utopia: Safe Harbor
Safe harbor provides merchants protection from fines in the event that they or one of their service providers experiences a data compromise.
To attain safe harbor status MCCS must:
- Validate compliance with a third-party QSA annually
- Maintain full PCI compliance at all times
- Demonstrate that, prior to a compromise, all PCI compliance validation requirements were fully met
15 MCCS Compliance: Visa and MC
VISA and MasterCard requirements, Level One (more than 6 million single-card-brand transactions per year):
- Includes all types of payment card transactions (debit, credit, phone, etc.)
- Annual on-site PCI data security assessment (SAP/ROC)
- Quarterly network vulnerability scans
MCCS is a Level One merchant.
16 PCI DSS Technical Requirements
17 PCI Data Security Standard (DSS)
- 6 Control Objectives
- The Digital Dozen: 12 PCI DSS requirements
- 226 detailed, security-focused sub-requirements
18 PCI DSS Control Objectives
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Monitor and test networks regularly
6. Maintain an information security policy
19 The PCI DSS Digital Dozen
1. Install and maintain a secure firewall configuration
2. Maintain system configuration standards
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign unique IDs and implement strong password controls
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy
20 226 Sub-Requirements
Detailed in the PCI Data Security Standard (URL truncated in the source: nload.html). Example:
Requirement 8: Assign a unique ID to each person with computer access.
- 8.1 Identify all users with a unique user name before allowing them to access system components or cardholder data.
- 8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: password; token devices (for example, SecurID, certificates, or public key); biometrics.
- 8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
  - Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
  - Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
21 What to Do if You Suspect a Compromise
Identification:
1. Is a secured area found unlocked and confidential information missing?
2. Have you noticed new, unidentifiable equipment in the POS area?
3. Do security logs alert you to suspicious activities?
Reporting:
1. Immediately inform your manager of the compromise. If unavailable, inform the Information Security Manager or the IT Point of Contact for your Command.
2. Determine if there is an ongoing threat to customer account information or MCCS network data. Notify the IT/Network Manager immediately.
22 MCCS Common PCI Findings
Compiled from onsite PCI assessments performed at 12 bases. Most common non-technical findings:
- Management of visitors: badged, authorized, escorted
- Security of paper credit card receipts and reports
- Password security
- Maintaining logs
- Keeping lockable items locked
23 Challenge Visitors
- PEDs (PIN entry devices) are now being attacked.
- Attackers are becoming more sophisticated and bold with their attacks.
- Employees need to be vigilant about visitors: are they wearing proper badges, and are they properly authorized to be working in the area? Do not be afraid to question them.
- Vigilance can prevent attacks such as these.
24 Kiosk False Front and Hidden Camera
- Camera hidden inside a pamphlet holder next to an ATM on the University of Texas campus.
- False front (skimmer) placed over the face of an ATM in Texas.
- Unauthorized personnel install these devices.
Source:
25 Visitor Logging
Logs serve a purpose:
- Require visitor logs for all areas storing or processing cardholder data
- Enforce the signing of logs by all visitors
- Retain logs for at least a year
26 Paper Receipt Security and Retention
Paper receipts should be stored:
- In rooms or closets with secured locks
- In containers marked FOUO (For Official Use Only) with storage and retention dates
Container contents should be:
- Inventoried
- Periodically reviewed against inventory lists
27 Records Warehousing
Records warehousing best practices: the ultimate in records security.
28 Password Security
Passwords should be secure and protected:
- Minimum of 7 characters
- Alpha, numeric, and special characters, e.g. U$mC@1S#1
- Do not use common names or words that can be found in the dictionary
- Do not write down or keep passwords in a public place where they may be discovered
(Presenter note: insert a picture of a post-it note on a monitor)
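The password rules on this slide (minimum of 7 characters; alpha, numeric and special characters; no dictionary words or common names) written as a checker that reports every rule a candidate password breaks. This is an added example, not code from the MCCS program: the DICTIONARY_WORDS set is a small constructed stand-in for a real wordlist, and the function name check_password is an assumption.

```python
import string

# Constructed stand-in for a dictionary/common-names wordlist (assumption:
# a real deployment would load a full list from a file).
DICTIONARY_WORDS = {
    "password", "welcome", "letmein", "summer",
    "marine", "marines", "semper", "fidelis",
}

MIN_LENGTH = 7                      # slide: minimum of 7 characters
SPECIAL = set(string.punctuation)   # slide: special characters


def check_password(password, wordlist=DICTIONARY_WORDS):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    # Strip digits and symbols before the dictionary lookup, so that a word
    # padded with a digit and a symbol ("Marines1!") is still caught.
    core = "".join(c for c in password if c.isalpha()).lower()
    if password.lower() in wordlist or core in wordlist:
        problems.append("based on a dictionary word or common name")
    return problems


if __name__ == "__main__":
    for candidate in ("U$mC@1S#1", "Marines1!", "Abc123"):
        verdict = check_password(candidate)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

The slide's own example, U$mC@1S#1, passes every rule; "Marines1!" satisfies the character classes but is rejected because its alphabetic core is a common word, which is the case a length-and-classes-only check would miss.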
29 Physical Security
- Clear desk: do not leave papers or reports containing cardholder data on desktops or in areas accessible by customers.
- Lock all doors, cabinets or drawers securing receipts or other papers holding card data.
- Don't leave passwords on post-its or viewable at desks.
- Do not promote or allow tailgating.
- Ensure customer receipts and cardholder data are not accessible by those who are not authorized.
30 Making a Difference at MCCS
If you accept a customer's credit card for payment, here are some ways you can help to meet PCI DSS compliance:
1. Protect your customer's cardholder data at all times.
2. Don't write down or share customer account information.
3. Don't ask a customer for their CVC or CVV2 when the customer is present to authenticate their own card.
4. If your department uses AVS, do ask the customer to confirm their zip code and address.
5. Be sure to protect merchant receipt copies that have customer payment card account numbers on them.
31 Making a Difference at MCCS
If you work in an office that processes payment card transactions, here are some ways you can help to meet PCI DSS compliance:
1. Don't share card data over the phone or with those who are not authorized to have such information.
2. If you work in an area that requires use of payment card data, do not take card data home or leave it on your desk unattended or overnight. (Clean Desk Policy)
3. Use computers for acceptable business purposes only. Do not load personal music, files, or applications, or access your personal e-mail. (Acceptable Use Policy)
4. Be sure to change your passwords regularly.
5. Learn how to construct a strong computer password.
6. Do not share your passwords with others, even your manager or MCCS IT personnel.
7. Don't leave computers on and unattended. Log out and/or use locked screen savers.
8. Maintain a segregation of duties between development, testing/QA, and production.
9. Be aware of data retention requirements for payment card receipts and related transactions.
10. Read your MCCS Information Security Policy and attend your annual security awareness training.
32 Making a Difference: IT
If you work in MCCS IT areas, here are some ways you can help to meet PCI DSS compliance:
1. Never store magnetic stripe, CVC2 or PIN data after authorization.
2. Payment card Primary Account Numbers (called PAN) should always be stored encrypted using strong encryption algorithms such as 3DES and AES.
3. Full PANs should be masked when displayed.
4. Payment cardholder data should always be encrypted during transmission over public networks, i.e. wireless or the internet.
5. Access to databases where payment card and other sensitive data resides should be restricted to those with a business need to know.
6. Ensure the use of anti-virus software, including automatic updates and periodic scans.
7. Do not share your user IDs or passwords.
8. Don't use administrator accounts to perform regular user tasks.
9. Ensure that all non-console administrative access is encrypted. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
10. Restrict physical access to payment card data or systems storing card data.
11. Protect and manage backup media. Store media securely, log removal of media, transfer securely, and destroy securely according to the MCCS data retention policy.
12. Attend annual security awareness training.
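Items 1 and 3 of this slide (never keep track or CVC/PIN data after authorization; mask full PANs when displayed), together with the point on slide 21 that security logs should alert staff and the observation on slide 12 that breaches often go unnoticed for months, as one added example that is not MCCS code: a masker that keeps at most the first six and last four digits, a Luhn check that separates real card numbers from other long digit runs, and a scan over constructed POS log lines that flags any full PAN or track 2 string that should never have been written. The log lines use the standard Visa test number rather than a real account; the function names, the regular expressions and the log format are assumptions. Encryption of PANs at rest (item 2) is not shown because it needs a cipher library outside the standard library.

```python
import re

# A 13-19 digit run, optionally grouped with spaces or dashes (assumed PAN shape).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Track 2 layout: PAN, '=', then expiry/service code/discretionary data.
# This must never exist after authorization, so any match is a finding.
TRACK2 = re.compile(r"\b\d{13,19}=\d{4,}")


def luhn_valid(digits):
    """Luhn check-digit test: true for every real PAN, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form: at most the first six and last four digits, the rest starred."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(lines):
    """Return (line_no, masked_pan) for each line holding a full, Luhn-valid PAN.
    The finding itself is masked, so the scanner does not create a second copy."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                hits.append((n, mask_pan(digits)))
    return hits


def find_track_data(lines):
    """Return the line numbers that carry track-2-shaped data."""
    return [n for n, line in enumerate(lines, 1) if TRACK2.search(line)]


# Constructed sample POS log (assumed format; 4111111111111111 is a test number).
SAMPLE_LOG = [
    "2009-03-02 10:14:01 POS01 auth ok pan=4111111111111111 amt=42.10",
    "2009-03-02 10:14:02 POS01 receipt pan=411111******1111 amt=42.10",
    "2009-03-02 10:15:33 POS02 debug track=4111111111111111=09121010000",
    "2009-03-02 10:16:00 POS01 order id 1234567890123 shipped",
]

if __name__ == "__main__":
    for n, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {n}: full PAN stored, shown masked as {masked}")
    for n in find_track_data(SAMPLE_LOG):
        print(f"line {n}: track 2 data stored after authorization")
```

Line 2 is the correctly masked receipt and produces no finding; line 4 has a 13-digit order number that fails the Luhn test, which is why the check is applied before anything is reported. Lines 1 and 3 are the findings a reviewer would raise, and line 3 is the more serious one because it holds the full track.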
33 Making a Difference: HR and Training
If you work in MCCS HR areas, here are some ways you can help to meet PCI DSS compliance:
1. Ensure that new employees are properly screened and background checks are performed appropriate to their job responsibilities.
2. Inform employees and managers of their obligation to read and understand Information Security Policies.
3. Ensure that new employees are informed of MCCS Acceptable Use Policies for IT equipment and customer information.
4. Ensure that new employees attend IT training, including how to change their passwords and how to use and protect customer data.
5. Ensure that managers provide new employees with IT systems access appropriate to their job responsibilities. (business need to know)
6. Inform IT in a timely manner about employee terminations so their user IDs, network and systems access privileges may be removed.
7. Execute periodic security awareness communication programs such as e-mails, notices, posters, etc.
34 Make a Difference: Finance/Purchasing
If you work in MCCS Finance or Purchasing, here are some ways you can help meet PCI DSS compliance:
1. Store receipts, statements and any other financial data containing cardholder information in a locked file drawer, safe or other designated secure area.
2. If payment card Primary Account Numbers (called PAN) are downloaded from banks or card brand websites, the data should always be stored encrypted. This applies to Excel spreadsheets, Word and PDF documents.
3. Restrict access to PANs to only those individuals in the accounting and finance departments with a business need to know.
4. Storage and inventory of transaction and card receipts should be minimized to only that which is required for business purposes. (i.e. 18 months)
5. Storage areas containing payment card data must be monitored with video cameras and a card access system that provides an audit trail of each individual entry.
6. Maintain accurate and complete logs of all archived or stored data, including accounting boxes with card data and receipts stored securely offsite.
7. Do not share passwords.
8. Never send card account numbers via e-mail or in any other unsecured manner.
9. Attend annual security awareness training.
35 Making a Difference: Facilities
If you work in MCCS Facilities, here are some ways you can help to meet PCI DSS compliance:
1. Maintain physical locks and access controls on storage areas; these are key to protecting cardholder information.
2. Cardholder receipts and other accounting data that have full payment card Primary Account Numbers (called PAN) should be accessible only to those with authorized access.
3. Reconsider shared access by other departments.
4. Avoid open windows and access points that could lead to theft of data.
5. Operate and maintain video surveillance equipment for secure data areas.
6. Maintain a visitor log that provides accountability for who accesses areas where sensitive information is stored, transmitted or processed.
7. Retain video recordings for at least 90 days and visitor logs for at least one year in the event of a data compromise.
8. Attend annual security awareness training.
36 Making a Difference: Legal, Purchasing, Marketing and Internal Operations
If you work at MCCS in Purchasing, Legal, Marketing or Internal Operations, here are some ways you can help to meet PCI DSS compliance:
1. Make sure MCCS contractual agreements for third parties that store, transmit and/or process MCCS cardholder data have appropriate PCI and security language as identified in Req.
2. Practice vendor due diligence and management.
3. Ask your vendors how they comply with the PCI DSS.
4. Develop secure mechanisms for sharing card data. (Ask MCCS IT)
5. Review ongoing PCI compliance requirements for all third parties.
6. Develop contract practices to ensure MCCS vendors maintain ongoing PCI compliance, how they inform you, and what happens if they don't meet those requirements.
7. Attend annual security awareness training.
37 Where to Get More Information
1. Visa Cardholder Information Security website ( )
2. PCI Security Standards Council website ( )
38 Congratulations!
You have completed your PCI Security Awareness Training.
(Training completion checklist: the column layout was lost in extraction; the columns named Information Security Awareness Training, PCI Training, Anti-terrorism Level 1 Training, Drug Free Work Place, Employee Assistance, EEO/POSH/No Fear, Annual Ethics, OPSEC Awareness and Constitution training.)
Print and complete this form, then turn in to Human Resources.
Print Name & Date / Command/Office / Signature & Payroll # / Supervisor Signature
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationThe Prioritized Approach to Pursue PCI DSS Compliance
PCI DSS PrIorItIzeD APProACh The Prioritized Approach to Pursue PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed, requirements structure for securing cardholder
More informationPCI DSS Illuminating the Grey 25 August Roger Greyling
PCI DSS Illuminating the Grey 25 August 2010 Roger Greyling +64 21 507 522 roger.greyling@security-assessment.com Lightweight Intro Dark Myths of PCI 3 Shades of Grey The Payment Card Industry Data Security
More informationSection 1: Assessment Information
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security
More informationPayment Card Industry (PCI) Compliance
Payment Card Industry (PCI) Compliance February 13, 2019 To Receive CPE Credit Individuals Participate in entire webinar Answer polls when they are provided Groups Group leader is the person who registered
More informationPDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2)
PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance Hardware Payment Terminals in a Validated P2PE Solution only, No Electronic Cardholder
More informationFAQs. The Worldpay PCI Program. Help protect your business and your customers from data theft
The Worldpay PCI Program Help protect your business and your customers from data theft What is the Payment Card Industry Data Security Standard (PCI DSS)? Do I have to comply? The PCI DSS is a set of 12
More informationPCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security
White Paper 0x8c1a3291 0x56de5791 0x450a0ad2 axd8c447ae 8820572 0x5f8a153d 0x19df c2fe97 0xd61b5228 0xf32 4856 0x3fe63453 0xa3bdff82 0x30e571cf 0x36e0045b 0xad22db6a 0x100daa87 0x48df 0x5ef8189b 0x255ba12
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Merchants Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission This
More informationPayment Card Industry Self-Assessment Questionnaire
Payment Card Industry Self-Assessment Questionnaire How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements
More informationWhite paper PCI DSS. How do you manage your customers payment card details securely and responsibly?
White paper PCI DSS How do you manage your customers payment card details securely and responsibly? Inhalt Introduction 3 Gaining trust Definition 4 What is PCI DSS? Objectives 6 What is the purpose of
More informationGoogle Cloud Platform: Customer Responsibility Matrix. April 2017
Google Cloud Platform: Customer Responsibility Matrix April 2017 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect Cardholder
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire A-EP For use with PCI DSS Version 3.2.1 July 2018 Section 1: Assessment Information Instructions
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationPCI PA-DSS Implementation Guide
PCI PA-DSS Implementation Guide For Atos Worldline Banksys XENTA, XENTEO, XENTEO ECO, XENOA ECO YOMANI and YOMANI XR terminals using the Point BKX Payment Core Software Versions A05.01 and A05.02 Version
More informationAttestation of Compliance, SAQ D
Attestation of Compliance, SAQ D Instructions for Submission The merchant must complete this Attestation of Compliance as a declaration of the merchant's compliance status with the Payment Card Industry
More informationEnabling compliance with the PCI Data Security Standards December 2007
December 2007 Employing IBM Database Encryption Expert to meet encryption and access control requirements for the Payment Card Industry Data Security Standards (PCI DSS) Page 2 Introduction In 2004, Visa
More informationSECURITY PRACTICES OVERVIEW
SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only No
More informationJune 2012 First Data PCI RAPID COMPLY SM Solution
June 2012 First Data PCI RAPID COMPLY SM Solution You don t have to be a security expert to be compliant. Developer: 06 Rev: 05/03/2012 V: 1.0 Agenda Research Background Product Overview Steps to becoming
More informationSIP Trunks. PCI compliance paired with agile and cost-effective telephony
SIP Trunks PCI compliance paired with agile and cost-effective telephony What is PCI DSS compliance? What does this mean for you? The Payment Card Industry Data Security Standard (PCI DSS) is the proprietary
More informationPCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90
PCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90 Revision history Revision Date Author Comments 0.1 2013-10-04 Robert Hansson Created 1.0 2014-01-14 Robert Hansson Review
More informationPoint PA-DSS. Implementation Guide. Banksys Yomani VeriFone & PAX VPFIPA0201
Point PA-DSS Implementation Guide Banksys Yomani 1.04 VeriFone & PAX VPFIPA0201 Implementation Guide Contents 1 Revision history 1 2 Introduction 2 3 Document use 2 3.1 Important notes 2 4 Summary of requirements
More informationPCI PA - DSS. Point Vx Implementation Guide. Version For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC)
PCI PA - DSS Point Vx Implementation Guide For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC) Version 2.02 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm,
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Standalone Dial-out Terminals Only, No Electronic Cardholder Data Storage
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission
More informationPA-DSS Implementation Guide For
PA-DSS Implementation Guide For, CAGE (Card Authorization Gateway Engine), Version 4.0 PCI PADSS Certification 2.0 December 10, 2013. Table of Contents 1. Purpose... 4 2. Delete sensitive authentication
More informationPayment Card Industry Data Security Standard (PCI DSS) Incident Response Plan
1. Introduction This defines what constitutes a security incident specific to Yonder s Cardholder Data Environment (CDE) and outlines the incident response phases. For the purpose of this Plan, an incident
More informationISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview
ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview February 10, 2011 Quick Overview RSM McGladrey, Inc. Greg Schu, Managing Director/Partner Kelly Hughes, Director When considered with
More informationPolicy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4
Policy Sensitive Information Version 3.4 Table of Contents Sensitive Information Policy -... 2 Overview... 2 Policy... 2 PCI... 3 HIPAA... 3 Gramm-Leach-Bliley (Financial Services Modernization Act of
More informationPayment Card Industry Compliance. OWASP January 23, Pat Massey Ralf Durkee Maureen Baran
Payment Card Industry Compliance OWASP January 23, 2006 Pat Massey Ralf Durkee Maureen Baran Background Due to the increasing fraud levels and theft of credit card information, the major card agencies
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced For use with
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationRegulation P & GLBA Training
Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed
More informationCity of Portland Audit: Follow-Up on Compliance with Payment Card Industry Data Security Standard BY ALEXANDRA FERCAK SENIOR MANAGEMENT AUDITOR
City of Portland Audit: Follow-Up on Compliance with Payment Card Industry Data Security Standard BY ALEXANDRA FERCAK SENIOR MANAGEMENT AUDITOR Examples of Government data breaches in 2016, listing number
More informationRed Flags/Identity Theft Prevention Policy: Purpose
Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0
Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally
More informationImplementation Guide. Payment Card Industry Data Security Standard 2.0. Guide version 4.0
Implementation Guide Payment Card Industry Data Security Standard 2.0 Guide version 4.0 Copyright 2012 Payment Processing Partners Inc. All rights reserved. ChargeItPro and ChargeItPro EasyIntegrator are
More informationIDENTITY THEFT PREVENTION Policy Statement
Responsible University Officials: Vice President for Financial Operations and Treasurer Responsible Office: Office of Financial Operations Origination Date: October 13, 2009 IDENTITY THEFT PREVENTION Policy
More informationFore! Reservations PA-DSS Implementation Guide
2011 Fore! Reservations PA-DSS Implementation Guide This document is intended as a quick reference guide to the implementation of Fore! Reservations 2011 version 14.8 in a manner that complies with PCI
More information